This topic describes how to configure a whitelist for an ApsaraDB for RDS instance. Only entities that are listed in a whitelist can access your RDS instance.

Background information

Whitelists make your RDS instance more secure and do not interrupt the operation of your RDS instance during configuration. We recommend that you maintain whitelists on a regular basis.

Note The IP address whitelist labeled default contains only the default IP address, which denies all entities access to your RDS instance.

Precautions for configuring an IP address whitelist

  • You can edit or clear a default IP address whitelist, but cannot delete it.
  • You can configure up to 200 IP address whitelists for an instance.
  • Each instance can contain up to 1,000 IP addresses or CIDR blocks. If you want to add more than 1,000 IP addresses, we recommend that you combine the addresses into CIDR blocks such as
  • If you attempt to log on to Data Management (DMS) from your RDS instance without adding your IP address to a whitelist, DMS will prompt you to add the address. By default, DMS automatically creates a whitelist that contains your IP address.
  • ali_dms_group (IP address whitelist of DMS) and hdm_security_ips (IP address whitelist of DAS) are automatically created when you use the related services. To ensure that the services run normally, do not modify or delete these whitelists.
    Note Do not add your business IP addresses to these whitelists. Otherwise, your business IP addresses will be overwritten during update operations and you will not be able to access the RDS instance.


  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where the target RDS instance resides.
    Select a region
  3. Find the target instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Edit corresponding to the default whitelist.
    Note You can also click Create Whitelist to create an IP address whitelist.
  6. In the Edit Whitelist dialog box that appears, enter the IP addresses or CIDR blocks used to access the instance, and then click OK.
    • After you add IP addresses or CIDR blocks to the IP address whitelist labeled default, the system deletes the default IP address
    • If you enter the CIDR block in the IP Addresses field, all IP addresses in the 10.10.10.X format are granted access to your RDS instance.
    • If you enter more than one IP address or CIDR block, you must separate them with commas (,). Do not add spaces before or after the commas. Example:,
    • If you click Add Internal IP Addresses of ECS Instances, the IP addresses of all created ECS instances within your Alibaba Cloud account are displayed. You can select the required IP addresses to add to the whitelist.

Common errors

  • Only the default IP address is added to an IP address whitelist in the Data Security > Whitelist Settings navigation path.

    The default IP address indicates that all entities are denied access. Therefore, you must add the IP addresses of entities that require access to your RDS instance to the whitelist.

  • The IP address in the whitelist is set to

    To grant all entities access to your RDS instance, you must instead enter the CIDR block.

    Note Exercise caution when you add this CIDR block.
  • The public IP addresses that you add to a whitelist may not be the real egress IP addresses of the devices that require access to your RDS instance. Possible reasons are as follows:
    • Public IP addresses are not static and may change.
    • The tool or website you use to query public IP addresses yields inaccurate results.


  • Does an IP address whitelist take effect immediately after it is configured?

    An IP address whitelist takes effect approximately one minute after it is configured.

  • Why do I find IP address whitelists that are not created by me?

    If these whitelists contain internal IP addresses, they are probably generated by other Alibaba Cloud services such as DMS or DAS and will not call operations on your service data.

    IP address whitelist created by DAS
  • Is my RDS instance exposed to security risks if I only enable internal network access and disable Internet access?

    We recommend that you change the network type of your RDS instance to VPC. Only ECS instances within the same VPC can access your RDS instance after their IP addresses are added to the whitelists. For more information, see Change the network type of an ApsaraDB RDS for MySQL instance.

Related operations

Operation Description
Query IP address whitelists Queries the IP address whitelists of an ApsaraDB for RDS instance.
Modify IP address whitelists Modifies an IP address whitelist of an ApsaraDB for RDS instance.